STIMSMITH

Hardware Bug Detection

Concept

In the provided evidence, hardware bug detection is illustrated by MorFuzz, a generic RISC-V processor fuzzer that uses runtime instruction morphing and state synchronization to find software-triggerable hardware bugs in real-world open-source processors (CVA6, Rocket, BOOM) and even in the Spike reference model, discovering 17 new bugs with 13 CVEs assigned.

First seen 5/29/2026
Last seen 6/6/2026
Evidence 9 chunks
Wiki v2

WIKI

Hardware Bug Detection

Scope of the evidence

In the provided evidence, hardware bug detection is demonstrated through MorFuzz, a generic RISC-V processor fuzzer published at USENIX Security 2023 (paper title: MorFuzz: Fuzzing Processor via Runtime Instruction Morphing). MorFuzz is described as a novel processor fuzzer that can detect software-triggerable hardware bugs efficiently. The authors release the source code at https://github.com/sycuricon/MorFuzz.

How MorFuzz approaches hardware bug detection

MorFuzz addresses three challenges faced by prior processor fuzzers. The cited evidence describes the corresponding techniques as follows. First, runtime instruction morphing collects contextual information from the DUT while it runs and mutates instructions so that they keep valid formats and meaningful semantics, with coverage correctly reflecting the effect of each mutation [7]. Second, the co-simulation framework is extended so that it works across different microarchitectures rather than a single core [8]. Third, state synchronization eliminates legal differences between the hardware and the software reference model: a reference model is inherently different from hardware, not every difference is a bug, and false positives caused by such implementation differences would otherwise mislead the fuzzer [8][9].
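To make the morph-then-compare loop concrete, here is an added example in Python (written for this page; it is not MorFuzz's code and does not use its stimulus templates). It pairs an instruction-field-level morph primitive with a spec-side legality oracle and a DUT model, and sweeps each field of a few seed encodings to find disagreements about whether an encoding must trap. The DUT model deliberately reproduces the reported behaviour of bugs B1, B6, B8, B9 and B10 from the citations below so that the harness has something to find; it stands in for RTL and is not any real core. The opcode and sub-opcode constants (the SYSTEM/OP-IMM/OP-FP/MISC-MEM opcodes, the sfence.vma funct7, the dret funct12, the aes64ks1i bit layout and the OP-FP funct7 set) are written from my reading of the RISC-V and Zkn specifications and are an assumption to verify against the spec text; the seed corpus is constructed.

```python
from typing import Dict, FrozenSet, List, Optional, Tuple

# Opcodes and sub-opcodes, written from the RISC-V ISA and Zkn specs
# (assumption: re-check against the spec text before relying on them).
OP_IMM, OP_FP, MISC_MEM, SYSTEM = 0x13, 0x53, 0x0F, 0x73
SFENCE_VMA_FUNCT7 = 0b0001001               # sfence.vma rs1, rs2; rd must be 0
DRET_FUNCT12 = 0x7B2                        # dret; rd and rs1 must be 0
AES64KS1I_HI8 = 0x31                        # bits[31:24] of aes64ks1i; rnum in bits[23:20]
FP_ARITH_FUNCT7 = {0x00, 0x04, 0x08, 0x0C}  # fadd/fsub/fmul/fdiv .s; funct3 is rm
ALL_BUGS = frozenset({"B1", "B6", "B8", "B9", "B10"})


def field(insn: int, hi: int, lo: int) -> int:
    """Bits [hi:lo] of a 32-bit encoding."""
    return (insn >> lo) & ((1 << (hi - lo + 1)) - 1)


def set_field(insn: int, hi: int, lo: int, value: int) -> int:
    """Overwrite bits [hi:lo]: the instruction-field-level morph primitive."""
    mask = ((1 << (hi - lo + 1)) - 1) << lo
    return (insn & ~mask & 0xFFFFFFFF) | ((value << lo) & mask)


def encode_r(funct7: int, rs2: int, rs1: int, funct3: int, rd: int, opcode: int) -> int:
    """Assemble an R-type word from its fields."""
    return (funct7 << 25) | (rs2 << 20) | (rs1 << 15) | (funct3 << 12) | (rd << 7) | opcode


def spec_traps(insn: int) -> Optional[str]:
    """Reference oracle: the reason the ISA requires an illegal-instruction
    trap, or None if the encoding is legal. fence/fence.i are deliberately
    absent: their unused rd/rs1/imm fields must be ignored, never trapped."""
    opcode, funct3, rd = field(insn, 6, 0), field(insn, 14, 12), field(insn, 11, 7)
    rs1, funct7, funct12 = field(insn, 19, 15), field(insn, 31, 25), field(insn, 31, 20)
    if opcode == SYSTEM and funct3 == 0:
        if funct7 == SFENCE_VMA_FUNCT7 and rd != 0:
            return "sfence.vma with rd != 0"
        if funct12 == DRET_FUNCT12 and (rd != 0 or rs1 != 0):
            return "dret with rd/rs1 != 0"
    if opcode == OP_FP and funct7 in FP_ARITH_FUNCT7 and funct3 in (5, 6):
        return f"reserved rounding mode rm={funct3}"
    if opcode == OP_IMM and funct3 == 1 and field(insn, 31, 24) == AES64KS1I_HI8:
        rnum = field(insn, 23, 20)
        if rnum > 0xA:
            return f"aes64ks1i with rnum={rnum:#x} > 0xA"
    return None


def dut_traps(insn: int, bugs: FrozenSet[str] = ALL_BUGS) -> bool:
    """Model of a DUT that reproduces the reported behaviour of the named
    Table 2 bugs (a stand-in for RTL, not any real core). With
    bugs=frozenset() it agrees with spec_traps everywhere."""
    opcode, funct3, rd = field(insn, 6, 0), field(insn, 14, 12), field(insn, 11, 7)
    rs1, funct7, funct12 = field(insn, 19, 15), field(insn, 31, 25), field(insn, 31, 20)
    if "B8" in bugs and opcode == SYSTEM and funct3 == 0 and funct7 == SFENCE_VMA_FUNCT7:
        return False                                  # B8: non-zero rd treated as valid
    if "B9" in bugs and opcode == SYSTEM and funct3 == 0 and funct12 == DRET_FUNCT12 and rs1 == 0:
        return False                                  # B9: non-zero rd handled as legal
    if "B10" in bugs and opcode == MISC_MEM and funct3 in (0, 1) and rd != 0:
        return True                                   # B10: fence/fence.i with rd != 0 traps
    if "B6" in bugs and opcode == OP_FP and funct7 in FP_ARITH_FUNCT7:
        return False                                  # B6: rm=5/6 executes without exception
    if "B1" in bugs and opcode == OP_IMM and funct3 == 1 and field(insn, 31, 24) == AES64KS1I_HI8:
        return False                                  # B1: rnum > 0xA accepted
    return spec_traps(insn) is not None


# Constructed seed corpus: one canonical, legal encoding per instruction class.
SEEDS: Dict[str, int] = {
    "sfence.vma x0,x0": encode_r(SFENCE_VMA_FUNCT7, 0, 0, 0, 0, SYSTEM),
    "dret": (DRET_FUNCT12 << 20) | SYSTEM,
    "fence.i": (1 << 12) | MISC_MEM,
    "fence rw,rw": (0x033 << 20) | MISC_MEM,
    "fadd.s f1,f2,f3": encode_r(0x00, 3, 2, 0b111, 1, OP_FP),              # rm = DYN
    "aes64ks1i x1,x2,0": (AES64KS1I_HI8 << 24) | (2 << 15) | (1 << 12) | (1 << 7) | OP_IMM,
}
MORPH_FIELDS = {"rd": (11, 7), "rs1": (19, 15), "funct3/rm": (14, 12), "rs2/rnum": (24, 20)}

Finding = Tuple[int, str, Optional[str], bool]   # (insn, morphed field, spec reason, dut_traps)


def differential_sweep(seeds: Dict[str, int], bugs: FrozenSet[str] = ALL_BUGS) -> Dict[str, List[Finding]]:
    """Morph every field of every seed through all its values and record each
    encoding on which the DUT model and the spec oracle disagree about trapping."""
    findings: Dict[str, List[Finding]] = {}
    for name, seed in seeds.items():
        for fname, (hi, lo) in MORPH_FIELDS.items():
            for value in range(1 << (hi - lo + 1)):
                insn = set_field(seed, hi, lo, value)
                reason, dut = spec_traps(insn), dut_traps(insn, bugs)
                if (reason is not None) != dut:
                    findings.setdefault(name, []).append((insn, fname, reason, dut))
    return findings


if __name__ == "__main__":
    for name, hits in differential_sweep(SEEDS).items():
        insn, fname, reason, dut = hits[0]
        print(f"{name}: {len(hits)} mismatches, e.g. {insn:#010x} via {fname}: "
              f"spec says {reason or 'legal'}, DUT traps={dut}")
```

Running the script prints one representative mismatch per seed. Sweeping rd on sfence.vma, dret, fence and fence.i is structurally the same morph, yet the spec demands opposite answers (trap for the first two, ignore for the last two), which is exactly where the cited CVA6 bugs B8, B9 and B10 sit. A real fuzzer replaces the exhaustive sweep with runtime morphing driven by DUT state, and replaces the DUT model with co-simulation of the RTL against a reference such as Spike.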

NEIGHBORHOOD

No graph connections found for this entity yet. It may appear in future ingestion runs.


RELATIONSHIPS

1 connection
MorFuzz ← implements 100% 2e
MorFuzz is designed to efficiently detect software triggerable hardware bugs.

CITATIONS

25 citations
[1] MorFuzz is a generic RISC-V processor fuzzer compatible with various microarchitectures, published at USENIX Security 2023. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[2] MorFuzz is evaluated on three popular real-world RISC-V processors (CVA6, Rocket, BOOM) and discovers 17 new bugs with 13 CVEs assigned. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[3] MorFuzz source code is released at https://github.com/sycuricon/MorFuzz. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[4] RISC-V is an open-source reduced instruction set architecture composed of a base integer instruction set and optional extensions (M, A, F/D, C, CSR, instruction-fetch fence). MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[5] RISC-V base instruction formats shown in the paper are R, I, S, B, with fields funct7, rs2, rs1, funct3, rd, opcode, and varying immediate fields. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[6] MorFuzz uses a stimulus template input structure with primitives that mutate inputs at the processor state, instruction field, and program semantic levels. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[7] MorFuzz uses runtime instruction morphing that collects contextual information from the DUT and mutates instructions with valid formats and meaningful semantics, with coverage correctly reflecting mutation effects. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[8] MorFuzz extends a co-simulation framework to various microarchitectures and adds state synchronization to eliminate legal differences between hardware and a software reference model. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[9] Software reference models are inherently different from hardware, and not all differences are bugs; these false positives caused by implementation differences can mislead fuzzers. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[10] Bug B1 (Rocket): aes64ks1i with rcon greater than 0xA does not throw an illegal-instruction exception; CVE-2022-34632, CWE-327. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[11] Bug B6 (BOOM): floating-point instructions with illegal rm fields (such as 5 or 6) execute without raising an exception; Issue #458, CWE-391. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[12] Full Table 2 bug inventory lists 19 bugs (B1–B19) across Rocket, BOOM, CVA6, and Spike, with 13 CVE assignments and 9 fixed. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[13] Bugs not concentrated in specific hardware functional modules that require numerous instructions with specific semantics to prepare a buggy environment are collectively called complex logic bugs. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[14] Table 3 compares the average time to reproduce bugs across MorFuzz, DifuzzRTL, riscv-dv, and riscv-torture. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[15] MorFuzz monitors the internal runtime states of the DUT to dynamically morph instructions and randomize operands, enhancing the semantics needed to trigger complex logic bugs. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[16] CVA6 uses RV64GC with a 6-stage in-order pipeline and ~24K lines of code; Rocket uses RV64GCHX with a 5-stage in-order pipeline and ~99K LOC; BOOM uses RV64GCX with a 10-stage out-of-order pipeline and ~339K LOC. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[17] MorFuzz found 17 new bugs and 2 already known bugs in total; the authors reported all bugs, helped developers fix 9 of them, and obtained 13 CVE assignments. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[18] Bug B8 (CVA6): an illegal sfence.vma with a non-zero rd is treated as valid; CVE-2022-34633, CWE-1242. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[19] Bug B9 (CVA6): dret with a non-zero rd, which should be zero by specification, is handled as if it were legal; CVE-2022-34634, CWE-1242. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[20] Bug B10 (CVA6): a non-standard fence.i/fence with a non-zero rd causes an exception, even though implementations are expected to ignore rd for forward compatibility; CVE-2022-34639, CWE-1209. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[21] CSR-state-related bugs (e.g., B2, B3, B7, B11) require first setting a CSR to a specific state and then triggering the faulty behavior with an instruction sequence. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[22] MorFuzz reproduces bug B7 significantly faster than riscv-torture and DifuzzRTL. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[23] Binary-level mutations in MorFuzz helped trigger bugs that previous methods did not cover, such as B8. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[24] MorFuzz does not target security-property violations directly; many discovered bugs would most directly support denial-of-service style exploitation. Examples: B10 prevents correct execution of crafted instructions, B13 can make the kernel mishandle exceptions because of a wrong type, and B18 can shut down the system. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
[25] The exact security impact of functional hardware bugs is often difficult to evaluate without real-world exploitation scenarios. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing (USENIX Security 2023)
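The state-synchronization point in [8] and [9] (not every difference between hardware and the reference model is a bug) is easier to see with a small lockstep co-simulation, shown here as an added example in Python that is not MorFuzz's implementation. A constructed three-instruction subset (addi, csrr, fence) runs on an instruction-level reference and on a DUT model whose mcycle advances by a stall-dependent amount (legal) and which, like the CVA6 behaviour reported as B10 in [20], traps on fence with a non-zero rd (a bug). Without synchronization the legal mcycle drift surfaces through csrr as a register mismatch and masks the real trap; with synchronization the reference adopts the DUT's mcycle before each step and the first reported divergence is the bug. The instruction subset, the stall pattern, SYNC_CSRS, the trap-vector address and the sample program are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed for this example: CSRs whose values may legally differ between a
# pipelined core and an instruction-level reference. State synchronization
# copies these from the DUT into the reference before every step.
SYNC_CSRS = {"mcycle"}
MTVEC = 0x1000                 # constructed trap-vector address
ILLEGAL_INSTRUCTION = 2        # mcause code for an illegal-instruction trap
MASK64 = (1 << 64) - 1

Insn = Tuple                   # ("addi", rd, rs1, imm) | ("csrr", rd, csr) | ("fence", rd)
Mismatch = Tuple[int, str, int, int]   # (step, field, reference value, DUT value)


@dataclass
class State:
    pc: int = 0
    x: Dict[int, int] = field(default_factory=lambda: {i: 0 for i in range(32)})
    csr: Dict[str, int] = field(default_factory=lambda: {"mcycle": 0, "mcause": 0, "mepc": 0})

    def flat(self) -> Dict[str, int]:
        """Architectural state as one name -> value map, for diffing."""
        return {"pc": self.pc, **{f"x{i}": v for i, v in self.x.items()}, **self.csr}


def step(st: State, insn: Insn, dut: bool) -> None:
    """Execute one instruction on `st`.

    dut=False is the reference: mcycle advances by exactly 1 and the fence rd
    field is ignored, as the spec requires. dut=True models a core: mcycle
    advances by a stall-dependent amount (legal) and fence with rd != 0 traps
    (the B10-like behaviour reported for CVA6, modelled here, not real RTL)."""
    op = insn[0]
    if op == "fence" and dut and insn[1] != 0:
        st.csr["mcause"], st.csr["mepc"], st.pc = ILLEGAL_INSTRUCTION, st.pc, MTVEC
    else:
        if op == "addi":
            _, rd, rs1, imm = insn
            st.x[rd] = (st.x[rs1] + imm) & MASK64
        elif op == "csrr":
            _, rd, csr = insn
            st.x[rd] = st.csr[csr]
        elif op != "fence":
            raise ValueError(f"unsupported op {op}")
        st.x[0] = 0                      # x0 is hardwired to zero
        st.pc += 4
    # Constructed stall pattern: the core retires in 1..3 cycles, the model in 1.
    st.csr["mcycle"] += (1 + (st.pc // 4) % 3) if dut else 1


def cosim(program: List[Insn], sync: bool) -> List[Mismatch]:
    """Run reference and DUT model in lockstep; return the architectural-state
    mismatches at the first divergent step, or [] if they agree throughout.
    With sync=True the reference adopts the DUT's SYNC_CSRS values before each
    step, so a legal mcycle difference cannot masquerade as a bug."""
    ref, dut = State(), State()
    for i, insn in enumerate(program):
        if sync:
            for c in SYNC_CSRS:
                ref.csr[c] = dut.csr[c]
        step(ref, insn, dut=False)
        step(dut, insn, dut=True)
        r, d = ref.flat(), dut.flat()
        mism = [(i, k, r[k], d[k]) for k in r if k not in SYNC_CSRS and r[k] != d[k]]
        if mism:
            return mism
    return []


# Constructed sample program: a cycle-counter read that is legally different
# on the two sides, followed by the fence encoding that exposes the modelled bug.
PROGRAM: List[Insn] = [
    ("addi", 1, 0, 5),
    ("fence", 0),
    ("csrr", 5, "mcycle"),
    ("addi", 6, 5, 1),
    ("fence", 3),
]

if __name__ == "__main__":
    print("no sync  :", cosim(PROGRAM, sync=False))   # false positive on x5 at step 2
    print("with sync:", cosim(PROGRAM, sync=True))    # real divergence: the trap at step 4
```

The unsynchronized run stops at step 2 with x5 differing, which is an implementation difference, not a bug, and the fuzzer would never reach the fence that actually misbehaves. The synchronized run reports only the step where pc, mcause and mepc diverge. The same idea generalises to any state the specification leaves implementation-defined or timing-dependent; the CSR-state-related bugs in [21] are the converse case, where the harness must first drive a CSR into a specific state and then compare behaviour that the specification does pin down.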